50 Best Companies to Watch 2022
In 2013, Picus Security pioneered Breach and Attack Simulation (BAS) technology and has helped companies improve their cyber resilience since then. Established by cybersecurity veterans with academic backgrounds and extensive hands-on experience, Picus Security developed a transformative Security Validation solution for end-to-end attack readiness visibility and effortless mitigation to pre-empt cyber attacks across all cyber defense layers. Picus’ “The Complete Security Validation Platform” provides granular and actionable insights for operational and executive teams, helps build proactive capabilities, maximizes technology utilization, and thus optimizes return on investment and keeps the risk of getting breached consistently low. Picus couples its vendor-agnostic assessments with vendor-specific prevention content for the most widely used Intrusion Prevention System (IPS), Next-Generation Firewall (NGFW), and Web Application Firewall (WAF) technologies. This end-to-end approach lowers time to respond by enhancing visibility and providing prevention content.
Log validation with attack simulation
The Picus Security Control Validation Platform makes sure that SOC teams maintain a well-scoped and threat-aware log base that always covers changes in the adversarial landscape and the technology infrastructure. Given the complexity of the log management function, SOC practitioners have to deal with every combination of failure involving malfunctioning log sources, invalid log formats or temporary service disruption, while adapting the scope of log collection to the changing adversarial landscape. A threat-centric validation process allows SOC teams to proactively and consciously address these challenges by identifying:
Starting from scoring attack vectors and revealing critical weak links, Picus is able to break down vector scores into individual contributions from each security control. The security score of each solution is calculated as a percentage of its full mitigation potential, given by the policy set made available by its vendor on the date of operation. Scores on each attack vector are shown per attack category (e.g. web application), sub-category (e.g. cross-site scripting), kill chain stage and MITRE ATT&CK mapping for endpoint scenarios. It is highly recommended to carefully design attack vectors and perform an initial validation of the prevention layer to identify weak links in the first stages of the Picus deployment. Then, mobilize your security operations teams for root cause analysis, run an assessment with Picus Detection Analytics and identify attacks that were neither blocked nor logged. Starting from threat emulation outcomes, Picus Detection Analytics drives log validation with actionable data. Picus reveals the journey of a threat with an end-to-end view of attack status (including start and end time), log status and delivery timeline, and alert and prevention status. Threats can be searched using advanced filtering criteria (severity, log source, alert status, etc.).
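The joins and scores described above, as an added example that is not Picus product code: a constructed set of simulated attack actions (each stamped with a correlation id, the control expected to stop it, and whether the simulator saw it blocked) is matched against a constructed list of events the SIEM indexed. From that join it derives per-control prevention scores, the blocked / logged / alerted status and log delivery delay of each action, logging coverage per attribute, and the "neither blocked nor logged" work list for root cause analysis. The scoring here is a simplification (percentage of in-scope actions a control blocked) rather than the vendor-policy-weighted score the text refers to.

```python
"""Threat-centric validation of prevention and logging outcomes.

Added example, not Picus code. All actions, events and timestamps below
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SimulatedAction:
    action_id: str     # correlation key the simulator stamps into its traffic
    category: str      # attack category, e.g. "web application"
    subcategory: str   # e.g. "cross-site scripting"
    technique: str     # MITRE ATT&CK technique id
    control: str       # control expected to prevent this action
    blocked: bool      # outcome observed by the simulator itself
    started: datetime
    ended: datetime


@dataclass(frozen=True)
class SiemEvent:
    action_id: str      # correlation key recovered from the log line
    received: datetime  # when the SIEM indexed the log line
    alerted: bool       # whether a correlation rule fired on it


T0 = datetime(2022, 5, 1, 9, 0, 0)
s = lambda n: T0 + timedelta(seconds=n)  # noqa: E731  (constructed offsets)

# Constructed simulation run: six actions across four controls.
SIMULATED = [
    SimulatedAction("a1", "web application", "sql injection", "T1190", "WAF", True, s(0), s(30)),
    SimulatedAction("a2", "web application", "cross-site scripting", "T1190", "WAF", True, s(60), s(90)),
    SimulatedAction("a3", "network", "c2 beaconing", "T1071", "NGFW", False, s(120), s(150)),
    SimulatedAction("a4", "network", "remote exploitation", "T1190", "IPS", False, s(180), s(210)),
    SimulatedAction("a5", "endpoint", "credential dumping", "T1003", "EDR", False, s(240), s(270)),
    SimulatedAction("a6", "endpoint", "lateral movement", "T1021", "EDR", True, s(300), s(330)),
]

# Constructed SIEM side: a2 and a4 never produced a log; a3 arrived late and unalerted.
SIEM_EVENTS = [
    SiemEvent("a1", s(40), True),
    SiemEvent("a1", s(45), False),   # duplicate delivery, must not double count
    SiemEvent("a3", s(420), False),
    SiemEvent("a5", s(255), True),
    SiemEvent("a6", s(320), False),
]


def attack_journey(actions, events):
    """Join each action with what the SIEM saw.
    Returns {action_id: {blocked, logged, alerted, log_delay_s}}."""
    first_event = {}
    for ev in sorted(events, key=lambda e: e.received):
        first_event.setdefault(ev.action_id, ev)          # earliest log wins
    alerted_ids = {ev.action_id for ev in events if ev.alerted}
    journey = {}
    for a in actions:
        ev = first_event.get(a.action_id)
        journey[a.action_id] = {
            "blocked": a.blocked,
            "logged": ev is not None,
            "alerted": a.action_id in alerted_ids,
            "log_delay_s": (ev.received - a.started).total_seconds() if ev else None,
        }
    return journey


def control_scores(actions):
    """Prevention score per control: percentage of in-scope actions it blocked."""
    totals, blocked = defaultdict(int), defaultdict(int)
    for a in actions:
        totals[a.control] += 1
        blocked[a.control] += int(a.blocked)
    return {c: round(100.0 * blocked[c] / totals[c], 1) for c in totals}


def logging_coverage(actions, journey, key):
    """Percentage of actions that produced a log, grouped by an attribute
    such as "category", "subcategory" or "technique"."""
    totals, logged = defaultdict(int), defaultdict(int)
    for a in actions:
        g = getattr(a, key)
        totals[g] += 1
        logged[g] += int(journey[a.action_id]["logged"])
    return {g: round(100.0 * logged[g] / totals[g], 1) for g in totals}


def root_cause_worklist(actions, journey):
    """Actions neither blocked nor logged: the control was blind and the
    SIEM has nothing to correlate, so these are investigated first."""
    return sorted(a.action_id for a in actions
                  if not a.blocked and not journey[a.action_id]["logged"])


if __name__ == "__main__":
    j = attack_journey(SIMULATED, SIEM_EVENTS)
    print("control scores:", control_scores(SIMULATED))
    print("coverage by category:", logging_coverage(SIMULATED, j, "category"))
    print("investigate first:", root_cause_worklist(SIMULATED, j))
```

The correlation key is what makes the join possible: the simulator has to put something recoverable (a marker in the payload, a known source address, a tagged user) into every action, otherwise "not logged" cannot be told apart from "logged under a name we did not search for".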
Q. How is Picus solving these challenges?
Picus improves log coverage and detection rules based on actual defensive capabilities and enhances SIEM efficacy proactively. Integrations with major platforms contain extensive vendor-specific and Sigma-based detection content. Adapting the detection rule base to the changing adversarial context is a difficult task. This difficulty results in detection gaps, false positives, alert noise, and alert fatigue. Challenging SIEM detection rules with extensive attack simulation on an automated platform addresses some of these key challenges. The Picus platform offers security insights that combine detection gaps with detection content, empowers red and blue team practices, and makes purple teaming an integrated capability whereby cyber defense teams can improve their security posture.
Optimize Endpoint Logging by Leveraging Threats
Picus Detection Analytics shows vendor-specific detection rules for SIEM and EDR platforms by TTP. Filtering options allow users to narrow down the content based on severity, log source, MITRE ATT&CK tactic or technique, and release date. Each detection rule is presented alongside the log sources and policy requirements that need to be enabled on endpoints. While testing a sizable sample of tactics and techniques as displayed in the MITRE ATT&CK view, users should prioritize and address “not logged” (not detected) threats and attack actions in order to improve coverage quickly. In the long run, by developing a process around which attack simulations endpoints detected or missed, SOC engineers can establish a log baseline for endpoint segments and decide which logs can be turned off to avoid overloading the SIEM infrastructure.
SIEM log agents and collection software can malfunction due to configuration errors, software bugs, expired licenses, outdated APIs, and other factors. The complexity, size, and load of the networks can also strain the flow of data. If security control technologies have not been made ready against new adversarial techniques, they will be blind to attacks that use them. As security controls will not detect such attacks, they will not generate logs. Decisions on data sources, types, and granularity require careful weighing of the alternative costs. Each new log adds complexity, takes disk space, puts load on the correlation engine, and consumes the “events per second” license pool. As a trade-off, missing logs may result in some malicious events not being detected. SOC teams must be aware of architectural changes, new deployments, new applications and retiring technologies to keep log management aligned with changes that are handled by network operations, IT security, DevOps and others.
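The log-pipeline failure modes listed above (silent or stale agents, unparseable records, sources missing from the inventory, and the events-per-second budget) can be checked mechanically. The following is an added example, not Picus code: a constructed inventory of expected log sources with a tolerated silence per source, and a constructed batch of collector output in JSON lines, from which it reports stale or never-seen sources, malformed records, sources nobody inventoried, and the EPS being consumed.

```python
"""Log-source health check for a SIEM collection pipeline.

Added example, not Picus code. The source inventory and the received
batch are constructed; the JSON-lines shape is an assumption about the
collector, not a real product's format.
"""
import json
from datetime import datetime, timedelta

# Constructed inventory: source name -> longest silence tolerated before alarm.
EXPECTED_SOURCES = {
    "fw-edge-01": timedelta(minutes=5),
    "edr-agent-ws042": timedelta(minutes=15),
    "waf-prod": timedelta(minutes=5),
    "dc-01-security": timedelta(minutes=10),
}

# Constructed batch as handed to the SIEM; one JSON record per line.
RECEIVED = """\
{"ts": "2022-05-01T09:00:05Z", "source": "fw-edge-01", "event": "deny", "dst": "203.0.113.5"}
{"ts": "2022-05-01T09:00:07Z", "source": "waf-prod", "event": "block", "rule": "xss-01"}
{"ts": "2022-05-01T08:41:00Z", "source": "edr-agent-ws042", "event": "heartbeat"}
{"ts": "2022-05-01T09:00:09Z", "source": "fw-edge-01", "event": "allow", "dst": "198.51.100.7"}
this is not json at all
{"ts": "2022-05-01T09:00:11Z", "event": "logon"}
{"ts": "2022-05-01T09:00:12Z", "source": "legacy-proxy", "event": "allow"}
"""

NOW = datetime(2022, 5, 1, 9, 0, 30)   # evaluation time for the checks
REQUIRED_FIELDS = ("ts", "source", "event")


def parse_batch(text):
    """Split the batch into usable events and unusable lines.
    Returns (events, malformed); events carry 'ts' as a datetime,
    malformed holds (1-based line number, reason)."""
    events, malformed = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed.append((n, "invalid JSON"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            malformed.append((n, "missing field " + ",".join(missing)))
            continue
        try:   # strptime rather than fromisoformat: the trailing Z needs Python 3.11+
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            malformed.append((n, "bad timestamp"))
            continue
        events.append(rec)
    return events, malformed


def silent_sources(events, expected, now):
    """Inventoried sources that never reported or whose last event is older
    than tolerated. Value is the gap in seconds, or None if never seen."""
    last_seen = {}
    for ev in events:
        src = ev["source"]
        if src in expected:
            last_seen[src] = max(ev["ts"], last_seen.get(src, ev["ts"]))
    problems = {}
    for src, tolerance in expected.items():
        if src not in last_seen:
            problems[src] = None
        elif now - last_seen[src] > tolerance:
            problems[src] = (now - last_seen[src]).total_seconds()
    return problems


def unknown_sources(events, expected):
    """Sources sending logs that the inventory does not list: either an
    undocumented deployment or noise eating the EPS pool."""
    return sorted({ev["source"] for ev in events} - set(expected))


def events_per_second(events, now, window=timedelta(seconds=60)):
    """Average EPS over the trailing window, the unit most SIEM licenses meter."""
    recent = [ev for ev in events if now - window <= ev["ts"] <= now]
    return len(recent) / window.total_seconds()


if __name__ == "__main__":
    evs, bad = parse_batch(RECEIVED)
    print("malformed lines:", bad)
    print("silent sources:", silent_sources(evs, EXPECTED_SOURCES, NOW))
    print("uninventoried sources:", unknown_sources(evs, EXPECTED_SOURCES))
    print("EPS (trailing 60s):", round(events_per_second(evs, NOW), 4))
```

A source that is stale here is not necessarily broken; a domain controller that genuinely logged nothing for ten minutes is itself worth a look, which is why the tolerated silence is set per source rather than globally.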
1. Alper Memis, Co-Founder and CEO